0. Presentation


US 


This report tells the story of one of our journeys during 2018 as Sursiendo: living between the local and digital realm, we unpacked a research project-process that assessed digital security within grassroots organizations in Chiapas.


According to Lori Lewis and Chadd Callahan's study (Desjardins, 2018), based on data from May 2018, per hour, more than 10,000 million emails are sent, 22 million apps are downloaded and 222 million searches are requested.


In Mexico, more than 65% of the population is online, as reported by Internet World Stats (2018).


Today, the Internet is crucial to understanding how our societies operate. It is present in nearly all social, political, economic and cultural spheres in Mexico and in the whole world.

Being online is very important to most people, and to human rights activism as well.


But beyond numbers, we believe in focusing on the people: the "whom", the "how" and the "what". How we use the Internet and relate to each other through it, and through which devices and programs. What is at risk when we are online.


We like to think of the Internet as a territory, "like the lived and heartfelt space embedded in our day-to-day", as Arturo Escobar (2010) defines it; territory as a setting of social relationships. This is why we perceive the Internet as a social construct, and understanding it implies grasping how it is produced and "inhabited".


But this territory, like many others, is threatened by neoliberalism, through surveillance and control, criminalization, deprivation/dispossession, (personal) data marketing and a lack of ethics. The Internet is a disputed territory.


In this sense, during 2018, we decided to carry out research related to part of this dispute: digital security in grassroots organizations of Chiapas, aiming to assess what was happening in the region.


In Mexico, digital security is at stake for organizations, activists and human rights defenders, as we have seen with the deployment of State surveillance, the cases of the Galileo (developed by Hacking Team) and Pegasus (by NSO Group) spy software, along with criminalization and censorship.


Public institutions, technology corporations and organized crime put at risk the safety of defense and accompaniment work towards collective processes.


Our proposal was to carry out an assessment based on popular education and participatory dynamics: workshops, questionnaires, interviews and online information sheets. We plunged into the participants' contexts, analyzed all this information and, finally, returned it to the groups in a way that could help them improve their practices related to digital technologies, standing on a solid foundation they could build on in a long-term accompaniment.


But what is digital security? In some cases, it is defined as the protection of computer infrastructure and everything related to it, especially the information contained in a computer or flowing through computer networks; in others, it is defined as the practices and tools that we use as users to protect our devices, information and digital interactions.


Both definitions describe realities but, at Sursiendo, we prefer to frame "digital security" as digital self-defense and self-care practices that seek to improve our "digital lives" in a (long) journey towards technological sovereignty.


Or, as some members of the organizations we worked with described it: "a series of habits, tools that one uses in their daily lives in order to protect information/data" or "the possibility to move around in cyberspace/Internet without being at risk, at least not at risk if we haven't chosen to be; neither me, nor the people that surround me, nor whom I work with".


We consider the concept of "security" tricky in itself, and it has led to the state of surveillance in which we are immersed today.


It is impossible to be 100% "safe and secure", but we can take measures to look after our digital interactions and, in consequence, look after our work as defenders and activists.


However, because the concept of "digital security" is now generally used to talk about these topics, we will adopt it throughout the report.


This assessment process followed eight organizations in Chiapas that work in different areas: human rights, migration, women's rights, land and territory rights, accompanying grassroots groups and communities (rural and/or indigenous) that resist the "extractivist development model" and sustain alternatives. To ensure confidentiality and protect their work, we do not mention their names in this report.


In the following pages, we synthesize what has happened in terms of digital security in Mexico and Chiapas, what findings have come up in the research and what needs and challenges emerge.


We would like to thank the organizations for their participation and trust in this journey that is still unfolding. We also thank the Human Rights Center Fray Bartolomé de las Casas (Frayba), which has shared its experience, and Paola Ricaurte for her contributions to this report.


1. Context of Surveillance


The sociologist and researcher David Lyon defines surveillance as "any focused, systematic and day-to-day attention to personal details for the purposes of influence, management, or control" (Bauman and Lyon, 2013).


But in the digital era, surveillance isn't only an everyday matter, it is pervasive: a harvesting of information that is no longer necessarily directed and targeted but mainstream and generalized, implemented by the State and by corporations, mainly with headquarters in the US and Europe.


One of the organization directors says: "I think that it's easy for those who want to have your data". Another participant shares: "to say 'I don't have anything to hide' is very easy, but we all have things that we don't want to be around".


Furthermore, all the data collected on digital networks tends to be stored several times, in different locations and for an indefinite period of time. Data collection, storage and analysis is an automatic process that doesn't require a great deal of effort (albeit many resources), so it's generally easier to just take it all in case it comes in handy afterwards. In addition, mainstream corporate platforms don't present transparent information on how they use the data they store. Having control over your own data isn't always possible.


"In summary, digital communication surveillance is pervasive, automatic, effective and always alive. You can encrypt communication but it's difficult to hide patterns and interrelationships" (Sparrow, 2014).


We underline the relevant words of Jorge Hernández (Frayba) in one of the interviews of this research:


"the first challenge as human rights defenders is that we have to know exactly where we stand, we can't be 'innocent and naive', we can't ignore the context and the interests that we are revealing; secondly, even though the State is, in the first place, accountable for protecting the work (and workers) of defending human rights, safety and security is personal, it is mine and that of my collective, without exempting the State of this responsibility. We have to take into account that we live in an oppressive State, a State that spies on us; a State that deploys fear and repression as a means of control over the population".


In Mexico, there have been several cases of surveillance and criminalization through the Internet, and of purchase and use of spying software against activists, journalists and human rights defenders. These cases have been documented and analyzed by human rights organizations. We describe them in this report, based on news and published reports.


The Constitution of Mexico acknowledges respect for human rights. Amongst other rights, it establishes the protection of the right to privacy related to information about our private lives (about ourselves, our family, residency, documents, belongings) (Laurant and Laguna Osorio, 2014).


The Federal Institute of Information Access and Data Protection (Instituto Federal de Acceso a la Información y Protección de Datos, IFAI) is the institution in charge of protecting individual rights in matters of data protection. The only federal law that addresses data privacy and the protection of data held by individuals is the Federal Law on Protection of Personal Data Held by Individuals (LFPDPPP), passed by the Congress of the Union in July 2010. Its scope of application includes individuals and companies, but not governments or other public entities (Laurant and Laguna Osorio, 2014). Furthermore, the Supreme Court also establishes that private communications are protected, by the Constitution, from "real time" surveillance, as well as from interference with the hardware where this information is stored.


In summary, spying is explicitly prohibited in the Constitution. There is a legal framework for the protection of personal data amongst individuals but, in terms of spying performed by government, the legal framework is lax (Rodríguez García, 2017).


In Mexico, there is no specific regulation of highly intrusive surveillance tools like spy software. However, jurisdiction acknowledges the possibility that some authorities request federal judicial authorization to intervene private communications for specific purposes (R3D, 2017).


In 2009, the Federal Telecommunication Law was modified so that telecommunication service providers have to store communication traffic data (metadata), including the type of communication, services used, source and destination, date, hour, duration and geolocation of the communication devices, for at least 12 months.


In 2012, the Federal Telecommunication Law was modified again, establishing that telecommunication companies had to cooperate with General and State Prosecutors, providing them with real-time cellphone geolocation without a court order.


In 2013 (though published in 2014), more changes appeared that extended communication surveillance methods. Telecommunication service providers must store metadata for 24 months and may store them for an indefinite period of time if requested, just once, by a government authority. These changes also allow authorities beyond the penal system, like CISEN, the Army, the Navy and the Federal Police, to determine the real-time geolocation of mobile communications without a court order, under the vague and ambiguous statement of combating crime (LFTR, 2014).


In recent years, laws, regulations and national budgets related to surveillance have undergone drastic changes. In the context of the misnamed "war against narco/drug dealing", driven by international security cooperation agreements such as the Merida Initiative, Mexico has experienced a series of legal reforms that increase the surveillance powers and techniques available to security agencies, both for crime investigation and prosecution and for the prevention of "national security threats".


For the international organization Article 19, these measures violate human rights because they lead to "mass surveillance". "They are enabling the ability to collect all our online communication data and activity without judicial control. In other words, the Army can demand from our Internet provider a record of our communications. In addition, there's a platform that monitors in real-time every step we make, where we are, with whom we meet and whatever digital trace we produce", points out the organization (CNNMéxico, 2014).


99% of the time, communication surveillance is illegal, according to the report by the Network in Defense of Digital Rights (Red en Defensa de los Derechos Digitales) (Pérez de Acha, 2016; R3D, 2016). The laxity of the Mexican State regarding spying hasn't changed even after the multiple documented cases and controversies related to information leaks in the news.


It is clear that (the techniques and power of) spying/surveillance are not being used to prevent "national security threats" or to stop crime or drug dealing/narco. Most of the time, they are deployed against people that question and challenge (the practice of the current) power: human rights defenders, journalists, activists, etc. In recent years, different cases have been revealed of how the Mexican Government has used programs to spy on these groups. An essential part of this strategy has been to rule over the media with an 'iron fist' and silence critical voices, including those on the Internet, and, in consequence, limit freedom of expression.


Since 2007, reports have been published on the cooperation between the Mexican Government and the United States in the interception of phone calls and emails with equipment from the company Verint.


In 2012, contracts made by the National Defense Department to hire surveillance technologies were disclosed. This equipment can monitor emails; intercept calls, voices and background noises; capture images; extract SMS, MMS, contact lists, calendars, GPS location and screenshots; access and manipulate system files, SIM card and hardware information, etc.


One year later, the Canadian organization Citizen Lab revealed that FinFisher spying software (by the English company Gamma International and Italian company Hacking Team) was used to spy on human rights defenders, activists and journalists (Flores, 2015). At the time, Wikileaks shared information about these companies with the daily newspaper La Jornada: Gamma Group and Hacking Team sent some of their members to Mexico in 2013. The same year, the media echoed information about contracts that the Attorney General's Office made to hire spying software in 2012 (Reforma, 2013).


Between 2014 and 2016, more information came out, pointing out that "Mexico is the country that has invested more money in Hacking Team and citizen surveillance" (Lacort, 2015). This coverage detailed which institutions and state departments hired these services and how much money they had spent.


In 2017, the campaign #GobiernoEspía (Spying Government) was launched, in which Mexican organizations, with the support of Citizen Lab and other media (like The New York Times) (Ahmed y Perlroth, 2017), gave evidence that the Federal Mexican Government and state departments had purchased and used Pegasus spyware (by the Israeli NSO Group) against journalists, human rights defenders and activists, thus severely violating their rights.


Installing this sophisticated spy software allows the attacker to take control of different cellphone functionalities and access content and, in consequence, monitor every detail of someone's life through their phone. Despite the allegations, in September 2018 Citizen Lab confirmed that Pegasus software is still active in Mexico.


"There is an impressive record of our lives -including private, intimate and family-related aspects of our lives- on all possible digital means", reflects a communication lead of one of the organizations participating in the research.


1.3 The Context of Surveillance in Chiapas


In 2010, Héctor Bautista, member of the libre/free software community and administrator of the InfoChiapas.com site, was arrested by the state police, accused of child pornography. His computer and external memory devices were confiscated. Apparently, the real reason for the arrest was an article Héctor had published addressing the government's debt. He was in custody for 40 days and then released (SIPAZ, 2010).


Three years later, in 2013, Gustavo Maldonado was arrested (Mariscal, 2013), accused of drug dealing, in a case full of irregularities. Maldonado was critical of the Chiapas government on social media. Months before, he had called a protest in defense of water and land rights in Tuxtla (capital city of the state of Chiapas). The same evening of his arrest, Maldonado had published a video and retweeted information related to Blackeyed Hosting Monitors, surveillance equipment used to trace digital activists in Chiapas. Maldonado was released after 90 days of arrest (Robles Maloof, 2013).


On the 8th of July 2015, Wikileaks published more than a million emails leaked from the Italian surveillance malware provider Hacking Team. The Chiapas government was included in the list of possible clients (Wikileaks, 2015). However, negotiations seem to have started one year before, as mentioned in an email dated February 2014 by an employee of White Hat Consultors, a company "specialized in information security and cybersecurity, and focused on clients from the government, finance and service provider sector". In June 2015, an employee of the Mexican company Heres declared that they had established communication with two government agencies of Chiapas related to the "security area", interested in Hacking Team's proposal and services.


The general context of violence and persecution in Chiapas has intensified in recent years, and in ways that weren't conceivable before. In one of the interviews of our research, a human rights defender with many years of experience in the State told us with surprise: "Yes, [surveillance] is incredible right now, like science fiction. Big Brother is watching you. Everyone knows. We're discovering things that we thought weren't possible. Neither at a technological level, nor at an ethical level". Likewise, in another interview: during the actions against structural reforms, groups that work for State Security "installed a van and recorded many things; a word repeated many times catches their attention, they trace where it's coming from".


Also, in the last 10 years, phone interception (of both human rights defenders' personal devices and organizations' phones), criminalization, hostility and physical persecution have increased considerably. Although, as some participants mention: "lately, I see it's not necessary to physically appear; if they do, it's because they want you to know you are being watched. But, nowadays, obviously, all this surveillance leaks into phones, email accounts, the drone that hovers above your house and you don't even realize, satellite localization, the cameras on the streets of Tuxtla or Chamula. There is an impressive record of our lives, including private and intimate aspects of our lives and those of our family, recorded in all possible digital means".


Metadata 


Communication metadata is data about an individual's communication, for example: the sender's and recipient's telephone numbers; the date, hour and duration of a communication; SIM card (IMSI) and device (IMEI) identifiers; and antenna location data generated when we connect to them through our cellphones.


Generally, the collection, storage and analysis of metadata is downplayed, especially in comparison with communication content. However, communication metadata can reveal as much or even more personal information than the content of communications itself.


SOURCE: Red en Defensa de los Derechos Digitales (R3D) (2016) El estado de la Vigilancia: Fuera de control. https://r3d.mx/wp-content/uploads/R3D-edovigilancia2016.pdf


We worked with eight social organizations of the State of Chiapas in this research. The selection criteria were based on our previous knowledge of the work of these organizations and the different areas of human rights each organization works in.


We worked with organizations all over Chiapas dedicated to the defense of human rights, land rights, women's rights, migration rights and education rights, distributed in different areas of the region.


With the intention of contributing to this research, we also gained input from the Human Rights Center Fray Bartolomé de Las Casas (Frayba), which has been developing its own digital security process for the last eight years. Jorge Hernández, member of this organization, mentions that Frayba considers holistic security as part of their political standpoint because, according to their analysis: "there is no such thing as low profile human rights defenders; we all fiddle with interests that the State wants to keep untouchable; we point out things that the State doesn't want to reveal and, in this sense, all human rights defenders are at risk."


Throughout the assessment process, we worked with a participatory methodology and used five different research techniques in order to perform a deep analysis that allowed us to establish a sort of 'baseline' of the current grassroots digital security context in Chiapas.


The main goal of this research is to gain insight into the particular needs of each participant organization so we can adapt mechanisms that foster the appropriation of digital security (practices and tools) in their human rights work. As we mentioned before, even if the State is responsible for protecting human rights activism, we can't trust it to do so. This is why human rights defenders assume that they have to undertake their own digital care.


The assessment is based on five information sources:


- previous research including publicly available information about the participant organizations and their most visible members (in total 8);

- on-site assessment workshops with participant organization members (in total 8);

- field notes we took during the workshops;

- completed questionnaires we handed out to the participant organizations about basic digital tech use and their perception of their organizational security, etc. (in total 71 completed questionnaires);

- in-depth interviews with some of the members of each participant organization we worked with (in total 16).


In terms of the methodology, the three main participatory tools we were inspired by were:

- Participatory Action Research (PAR) (https://en.wikipedia.org/wiki/Participatory_action_research), a community research approach that emphasizes involvement and action. This approach seeks to understand the world whilst transforming it, collaboratively and through reflection.

- Inform-action, a tool developed by Mining Watch Canada, the Mining Conflict Observatory of Latin America (Observatorio de Conflictos Mineros de América Latina) and the Environmental Conflict Observatory of Latin America (Observatorio de Conflictos Mineros de América Latina) that addresses the different people/agents involved through data mapping.

- Digital Security Assessment for Human Rights Organizations: A guide for facilitators (Diagnósticos en seguridad digital para organizaciones de derechos humanos y derechos territoriales: un manual para facilitadores), designed by Técnicas Rudas, which, based on the classic risk model, examines uses, risks and threats for organization members in the digital realm.


At different moments of this research, we used analogue methods. Data analysis was one of these moments. We believe that we "think better" on paper. For this reason, we wanted to use other technologies to combine the diverse voices we gathered through the previously mentioned information sources.


One of the workshop participants mentions: "it's super interesting how we visualized the interconnections amongst us in this exercise we did with Sursiendo. Everyone is there. We are all interrelated. And everything that we use".


Finally, we would like to point out that, as part of this initial assessment and research phase, we decided, as an essential task, to hold workshops as a way of "returning" the research results to the organizations, along with the generosity and trust they shared with us. For those of us that participate in this research proposal, it is fundamental to break away from the current extractivist model, including in the field of information and research, where the people subject to the research rarely receive benefits. So, in the last part of the year, we organized these meetings where we returned this information and put into practice some learnings that emerged in the research.


Some Findings


"We've even had to take out our personal mail accounts from our organization site", says a coordinator from one of the organizations from Chiapas participating in this assessment process. This statement is very significant: it reveals what the Internet has become for most human rights defenders and activists.


Our personal data, means of contact, location or itineraries, comments about our family, vacation photos, sensitive data about our partners, etc. can be used by people that hinder human rights work. Add to that the use of insecure networks, apps that profit from our data, software that is easily monitored and devices that are stolen or lost, and our vulnerability increases.


SENSITIVE INFORMATION TO SHIELD


"Most information is sensitive, confidential and the mechanisms we deploy are insecure and vulnerable", mentions one of the participant organization members. Furthermore, this person underlines, like other participants, that the most important information is that of the people and processes they accompany, along with personal and family data.


Broadly speaking, we have noticed a concern around the surveillance that some institutions (local, state, national and international), organized crime and extractivist companies (mines, hydroelectric power plants, etc.) operate in the region, mostly through the collection of location, family-related and personal data that puts at risk the people that work in organizations, those who collaborate with them and those in their immediate surroundings. There is also a fear of losing control of their data in their internal management, and of their organizational and strategic documents related to their human rights work, accompaniment and projects.


"I know that it is all controlled by the State, that someone can use your personal data, the data you upload, identity theft and many other things. That's why I've always been careful in not uploading things, keeping them safe, trying to prevent (...) or the same information that puts me and those close to me at risk", claims one of the women's rights defenders that participated in the assessment.


Specifically, there is a common concern around privacy violations related to communications, especially when coordinating online or when monitoring activities/events. For example, there is a concern about not being able to have video calls at ease, fearing that they will be intercepted or that what they say will be monitored/collected; or that third parties will access their message exchanges via Whatsapp or any similar app, both in their day-to-day and, especially, when performing certain activities. The use of email, a fundamental work tool for organizations, also implies known risks for human rights defenders, like information leaks and malware or virus infection.


Social media (like Facebook or Instagram) is also a worry because of these information leaks, of information that we publish or that is available to the company, and as a source of harassment. So are browsing and searches, when we trust an almighty company like Google, through the Chrome browser or its search engine.


There are also concerns related to information stored on desktop computers, hard disk drives or any other device where organizations archive their work (photos, reports, videos, records, contact lists). This information can be accessed (without consent, by third parties) both via the Internet and physically, which entails potential data theft; the data can then be used or deleted. These risks point to care mechanisms we can adopt for such information.


DEVICES 


In terms of the digital tools used in grassroots organization work, the main devices are cellphones and computers, as expected, and, in many cases, also hard disk drives and cameras.




Thus, computers are crucial when addressing digital security. During the assessment, we found that nearly all participant organizations use desktop computers with the Windows operating system (except one case that used Linux). This is the first risk factor because it is well known that Microsoft software enables information leaks (Crespo, 2016), due to flaws and the company's policies. For example, the use of 'backdoors' is common: remote non-consented server access to devices.


It is also known that Microsoft has collaborated with security agencies (like the NSA), providing them with thousands of users' data (Tubella, 2013). Also, Windows programs are susceptible to viruses, malware and spyware.


Antivirus use isn't as widespread as we thought (no program installed or out-of-date software), and neither is the use of complex passwords for access to devices and platform services.


Cellphones become even more relevant. They are inherently insecure: we tend to have them on us, constantly connecting to different antennae and networks, and they are easily lost or stolen. Users generally, for convenience, store lots of information on their smartphones and usually connect to different communication platforms. The main cellphone operating systems don't adapt much to individuals' particular needs and, most of the time, we must blindly trust the apps we install (and others can't be uninstalled). These characteristics make cellphones a "window towards the world", through which we obtain information and communicate, but also through which important data spills out without us knowing.


The recommended practice of backing up data on external hard disks is common amongst organizations. But a clear and realistic backup policy is necessary in order to practice self/collective care properly. We also found that USBs are used for storage even though they are very vulnerable devices.


SOFTWARE 


Regarding the apps and programs used, apart from the operating systems we mentioned before, we observe the constant use of commercial social media, especially Facebook; Skype (Microsoft proprietary software) video calls; cloud storage (via Dropbox or Google Drive); and email through Gmail. None of these options is advisable because they are proprietary: they can't be audited and they belong to corporations that are allies of authorities. Whatsapp is another example. Also, they are more targeted by security breaches and viruses as they are more mainstream and commercial.


In the assessment workshops, participants were interested in understanding what malware actually is and what type of metadata affects our security.


AGENTS/ACTORS 


Amongst the organizations, the same agents tend
to come up in terms of who could be interested in
the sensitive data they (the organizations)
handle, data that could be accessed without
consent.


Federal government entities (mainly the attorney
general's office, the federal police and the
Research and National Security Center -CISEN-),
the Chiapas government, state police and some
secretaries; local government and police forces
that assist them; parapolice that tend to be
tolerated by (sometimes even driven and supported
by) the government; organized crime and drug
dealing/narco groups; extractivist companies
(mines, water extractivism, intensive agriculture,
tourism, etc.) interested in the region. Other
actors mentioned are intelligence services, both
national/Mexican -like CISEN- and international
-like the CIA (USA) and Mossad (Israel)-, that
have the means and resources to obtain information
and seek cooperation from social media platform
owners.


In addition, each participant mentions local
actors. In the case of women's rights activism,
these local agents are a main threat.


Participants also point out that, on many
occasions, agents are coordinated or conspire
together, "police and organized crime is sometimes
the same thing", or that the government's
negligence (at different levels) in protecting
human rights becomes part of the problem.


INCIDENTS 


To wrap up these findings, we underline the
security incidents that some organizations have
shared with us, in many cases related to data and
information. For example, noise and interference
on office and personal phone lines, threats
through messages or phone calls, forced entry into
offices or other buildings. Also, on-site or remote
surveillance at events or infiltrations in
meetings, and files that disappear from computers.


Slander through social media (especially on
Facebook and in WhatsApp chain messages). These
practices infringe on the rights of human rights
defenders.


Finally, we want to echo comments regarding the
need for funders to be more aware of digital
security in order to establish safer communication
with grantees and look after, at every moment, the
information they share and store and, in
consequence, the processes they support.
Organizations maintain that digital security is
holistic and collective.


We have found people that want to learn new
tools and acquire practices that reduce the risks
that emerge in their work and activism. Even
though there are different levels of knowledge and
experience, the intention is to make an effort and
support each other, walk together in that direction.


"An agreement regarding security implies that 
many people are in the same channel and that is 
complicated. If it's already complicated to do so 
amongst a group, even to communicate via Tele- 
gram instead of Whatsapp; or download Signal 
which for many is a drag or they don't understand 
how to do it or they don't have enough storage on 
their phone... You end up using the same damn 
thing as always." 


Challenges and needs


During this research journey, we have encountered
big challenges. In particular, the participants
themselves have confirmed for us the hows and whys
of the need to address "digital security" within
the organizations. Even though we have observed
that the participant organizations are concerned
about digital security, there are many challenges.
Raising awareness amongst those who do not share
this concern is the first step.


In itself, enabling a real long term
'appropriation' process is a challenge. In the
context of our work with these organizations and
the groups we intend to follow up with, we lack
enough long term exercises and appropriate tools
that can help us 'measure' results. Creating these
tools is, in itself, a task yet to be done.


Jorge Hernández, from Frayba, an organization
that has already walked this walk of appropriation,
tells us: "it has been a step-by-step process, 8
years. Seeking bonds with other collectives that
want to support you is essential". Jorge also tells
us about the relevance of capacity building tools
like Moodle, tools available online so you can have
a look at information when you need to, document
learnings and systematize processes.


It is important to understand that guides and
learning platforms are necessary to the extent
that they relate to the actions and tools
visualized and shared during the workshops, not as
a substitute for these face-to-face moments. In
this sense, having the capacity to provide
'sufficient' accompaniment in order to reduce
moments of 'anxiety' and frustration on the way is
indispensable.


Groups and organizations that do accompaniment
in this field know how important the process is. In
the context/framework of adopting new technologies
in our digital self-defense, this characteristic
entails its own challenges.


Firstly, we run into the matter of integrating
'digital security' as part of an array of 'digital
security' actions/practices. On many occasions,
activists and human rights defenders perceive
information and communication intrusion as
something that can happen to others, but not to
themselves.


Also, there are groups that have a heavy workload.
In this sense, time management (work flows, task
management) becomes relevant in order to ensure
that digital security is useful in the long term.
We have also observed a certain rooted fear towards
new technologies. Resistance towards "the new" is
very common. The perception that "technologies are
for experts" slows down the appropriation process.


If we also take into account the increase in
cellphone use and the contradictory feeling of
'being at risk' and 'need' that human rights
defenders go through when using them, the scenario
becomes more complex.


We include a reflection from one of the participan- 
ts: "an accompaniment with a clear time-line, 
starting with simple things and taking our time is 
important; it would be good to specify 'deadlines' 
so we can realize that it needs to be in our plan- 
ning route and taken seriously by the team". 


It is also important to consider the need to
create collective agreements within the
organization, agreements that come from the members
and relate to the practices that they acknowledge
as 'insecure' and those concerning sensitive data,
as well as the willingness for transformation and
learning that this will imply. These agreements
must be firm and gradual. They imply a certain
level of commitment, on the part of those that
accompany and those who are guided.


In this phase, we prioritize "simple" resolutions
that entail transforming rooted habits and can be
adopted by all members on board. We observe that
the person-device relationship requires 1:1
attention, which means adapting time and efforts.
Building trust in technology use is essential when
enabling long term change. One must go back to
the same place, repeat, again and again.


"There are things that will be short, mid and long
term. Some that are precisely habits we don't have
and don't perceive as necessary because we are not
used to questioning them until something happens",
says one of the participants.


Popular education teaches us to "go at the pace of
the slowest comrade". This is a conscious agreement
we establish amongst all in the accompaniment.
However, in practice, this implies attention,
commitment, patience and a shared perception that
we are still learning.


In this sense, another challenge is breaking the
'stigma' that orbits the difficulty of improving
our digital practices and our use of operating
systems and/or FLOSS software. We believe that, in
order to make this a reality, we need to 'embody
it', which means that each person can learn from
their own experience and not just by observing the
errors, what is wrong, or just by providing
'technical solutionism', but also through actions,
gestures of mutual support where we can, together,
ask ourselves, solve, manage in collective. And, of
course, dismantle the still established myth that
"using libre/free technologies is safer but
harder".


As we mentioned before, there are different levels 
of knowledge related to technologies within the 
organizations. For some, it was their first appro- 
ach to digital security. Implementation, in these 
cases, was significantly different to those who 
had already been in workshops. 




We found that organizations don't have people in
charge of computer/technology aspects, not even a
trusted external service provider that can assess
their tech equipment.


Typically, even if they have been, to a certain
degree, helpful, the digital security workshops the
organizations are invited to bring together few
members of the different organizations and cover a
lot of tools and information in a short period of
time. It's just an "appetizer" and, from the
experience of the participants, this model doesn't
manage to help them ground practices or convey this
knowledge to their colleagues within their
organization. The learning gets stuck, without a
day-to-day application.


Regarding the necessary accompaniment, comments
point at a more practical, simple and gradual
process. Others added: "I don't like 'express'
capacity building because we are slow and I think
we don't grasp well (...) We go step by step.
Perhaps, in a first implementation phase, we could
put in practice some simple things and see how it
goes and then carry on with others. In sequence.
Not all at once". In their reflection, participants
emphasized evaluating each step in the process
because, until then, the occasional workshops they
had been part of hadn't taken into account any type
of follow up.


On this point, internal capacity building aimed at
sharing practices and tools is fundamental. Initial
efforts should create baseline agreements around
digital security that all participants can
implement in their teams.


Not all members of the organizations handle
sensitive data that require more intensive care,
and/or such information is centralized in one or
several people. Under such circumstances,
re-adapting the learning process to each work area
as the organization needs, and creating more
careful information transmission and storage
policies, is essential.


Lastly, it's worth mentioning that some
participants referred with enthusiasm to the
possibility of transitioning/migrating to
libre/free software: "I haven't used it and I don't
know much, but I think it's an option that aligns a
lot with the discourse we have, which is,
basically, a non governmental organization
discourse in which we resist against certain
matters. It seems cool to match discourse with
action".


Jorge Hernández from Frayba also comments
something on the same lines: "because of a
political congruence, I mean, if we are an
institution that is up for counterbalancing/going
against the system and we are fattening the richest
man's pocket and we don't have control over the
programs we are using... That's why we decided to
migrate towards libre/free software".
2. Conclusions


As we have mentioned in the "Context" section of 
this report, Mexico has experienced several docu- 
mented surveillance cases against human rights 
defenders, journalists and activists. 


This is a good enough reason to assess digital
security within grassroot organizations in Chiapas,
and also the digital platform data treatment that
violates privacy and other rights. At present,
organized civil society is aware of the situation
and of the need to review and address these
emerging issues. "Better safe than sorry": better
to anticipate any circumstance and have the
knowledge and tools that foster our security and
safety. Also in the digital realm.


In this research we worked, based on participatory
methodologies, with eight organizations with an
acknowledged trajectory in Chiapas. It was very
nurturing for us to share this mutual learning path
which, in some cases, will evolve into a more
personalized accompaniment.


We have witnessed that holistic security is part of
these organizations' work. In their activism and
pursuit of defending the respect of fundamental
rights, many times they are at risk. There are
agents/actors that hinder and violate these rights,
some of whom we know well. For these reasons,
organizations want to adopt digital self-care in
their practices. Furthermore, putting emphasis on
the political discussion of digital security is
essential in order to translate it into a
collective practice in civil society.


As we claimed some months ago on this topic:


"We are interested in doing it from a collective
rights perspective. The people whom we work with
expect us to, apart from help with technical
problems, understand the problems that emerge in
their activism and talk to them in languages that
are closer to them. We need to create languages
as a common ground [because no, they are not
invented: there is still a huge gap between front
line defenders language and those who defend the
territory of Internet]... Let's try the
self-defense and technological sovereignty
perspective from a collective creation of answers
we need. The people that seek us for support,
assistance in problems related to surveillance,
harassment or intimidation expect us to guide them
[also] with tenderness" (Sursiendo, 2018)


This assessment is a milestone in raising
awareness about the threats, the actors/agents
involved, the practices we deploy and the digital
tools we use. Adopting new routines and software
isn't an immediate process. The difference lies in
the ways we move through these processes of use and
appropriation. "there's an emerging approach of
working with technologies from a social perspective
that touches people, that goes to where they are.
Through inhabiting these spaces, we can break with
the idea that 'inclusion' means 'bringing' people
to our spot, our lens, our ways of doing tech; and
understand that inclusion is multi-directional".
(Sursiendo, 2018)


Grassroot organizations ask us to focus our
accompaniment, offer more time, walk little by
little, starting with the basics. Those who work in
this area should do accompaniment as a slow and
constant process, towards all organization members,
adapting to their needs, with support material and
asking for commitment on the organizations' part,
creating firm and long term agreements. It's been
and still is a great opportunity to learn and also
a challenge.


We will continue to defend collective digital rights 
and fight for this Internet territory, so it can beco- 
me more open, free, inclusive and biodiverse. 
Cheers. 